IBM X-Force Report Surfaces Increased Exploitation of Public-Facing Apps

An analysis of cybersecurity attacks published today by the X-Force arm of IBM finds there was a 44% increase in the exploitation of public-facing applications in 2025. More troubling still, out of the 40,000 vulnerabilities tracked by IBM X-Force, more than half (56%) didn’t require any type of authentication for an attacker to bypass before..

The post IBM X-Force Report Surfaces Increased Exploitation of Public-Facing Apps appeared first on Security Boulevard.

FYSA — VMware Critical Vulnerabilities Patched

Summary

Broadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.

Threat Topography

  • Threat Type: Critical Vulnerabilities
  • Industry: Virtualization
  • Geolocation: Global

Overview

X-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities affect various VMware products, including vCenter Server, vRealize Operations Manager, and vCloud Director.

These vulnerabilities could allow attackers to launch various types of nefarious actions, potentially leading to data breaches, system compromise, and unauthorized access. Broadcom has patched the vulnerabilities with a new version of the affected products, urging users to update their systems as soon as possible.

Recommendations

Organizations using VMware products are advised to:

  1. Immediately patch their systems with the latest version of the affected products.

  2. Monitor system logs for any signs of suspicious activity.

  3. Implement additional security measures, such as network segmentation and access controls.

References

  1. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

  2. https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/

  3. https://thehackernews.com/2025/03/vmware-security-flaws-exploited-in.html

The post FYSA — VMware Critical Vulnerabilities Patched appeared first on Security Intelligence.

2024 Cloud Threat Landscape Report: How does cloud security fail?

Organizations often set up security rules to help reduce cybersecurity vulnerabilities and risks. The 2024 Cost of a Data Breach Report discovered that 40% of all data breaches involved data distributed across multiple environments, meaning that these best-laid plans often fail in the cloud environment.

Not surprisingly, many organizations find keeping a robust security posture in the cloud to be exceptionally challenging, especially with the need to enforce security policies consistently across dynamic and expansive cloud infrastructures. The recently released X-Force Cloud Threat Landscape 2024 Report delved into which specific rules are most commonly failing. By understanding key vulnerabilities, organizations can then figure out the best approach for reducing their risks.

“Regulations are increasing, requiring organizations to implement more compliance policies with security top of mind, which puts a lot of overhead on these organizations,” says Mohit Goyal, Product Management at Red Hat Insights. “The Compliance service within Red Hat Insights provides a more elegant way to manage and deploy these policies on systems to get ahead of any gaps.”

Environment influences failure of security rules

During the research, X-Force analyzed two sets of data across the cloud — one set operating in 100% cloud-only environments and the other with a hybrid of 50% to 99% of their Red Hat Enterprise Linux (RHEL) systems in the cloud. Interestingly, researchers found a different set of most failed rules for each of the two different groups.

Goyal says that the team intentionally looked at both environments because Red Hat caters to customers across the hybrid cloud. During the research, the team discovered that in the 100% cloud group, security rules often failed due to misconfiguring assets, meaning that organizations should focus on configuration guidelines. Meanwhile, in the hybrid environment, most failed rules revolved around authentication and cryptography policies.

When asked who is often responsible for the configurations, Goyal says it varies at different organizations. At smaller companies, a single employee often wears multiple hats. However, at larger organizations, the roles are typically well defined with multiple people involved — for example, a system administrator, a security/risk administrator and a compliance administrator.

Top failed rules in organizations with 100% cloud systems

Researchers found that in situations where all data was stored in the public cloud, the most commonly failed rule was configuration and security guidelines for Linux systems. Researchers described this rule as focusing on configuring essential security and management settings in Linux systems. Examples include setting the default zone for the firewall and isolating the /tmp directory on a separate partition to enhance security and manage disk space effectively. The mitigation is configuring the default zone for the firewall service to make sure the network security is properly configured in Red Hat-based systems.

Other top failed rules include:

  • Secure mount options for critical directories
  • User home directory management
  • Service management
  • NFS service management

Top failed rules in organizations with hybrid environments

After analyzing data within a hybrid environment, researchers found that authentication and cryptography policies often failed. These rules focus on standardizing and securing authentication mechanisms and cryptographic requirements in a given policy. Organizations set these rules to ensure consistent and strong security practices across the system. The mitigation involves using authselect to standardize and simplify the management of authentication settings.

Other commonly failed rules in hybrid environments include:

  • Account and SSH configuration
  • SSH security measures
  • Umask configuration
  • Process debugging restrictions
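The checks below are an added example, not code from the report or from Red Hat, covering four of the rules named in the two lists above: the default firewall zone and the separate, securely mounted /tmp from the cloud-only group, and the umask and process-debugging restrictions from the hybrid group. Each check takes captured text or a value as its argument so it can run offline against collected output; the thresholds it enforces (a default zone other than "trusted", nodev/nosuid/noexec on /tmp, a umask at least as strict as 027, kernel.yama.ptrace_scope of 1 or higher) are assumptions, not the report's stated values.

```shell
# Added example (not from the report): offline checks for four RHEL rules the
# report lists as commonly failing. Thresholds are assumptions, and the sample
# inputs at the bottom are constructed rather than captured from a real system.

# Default firewalld zone. $1 = output of `firewall-cmd --get-default-zone`
check_firewall_zone() {
  case "$1" in
    trusted|"") echo "FAIL firewall: default zone is '${1:-unset}'"; return 1 ;;
    *)          echo "PASS firewall: default zone is '$1'"; return 0 ;;
  esac
}

# /tmp on its own mount with secure mount options. $1 = contents of /etc/fstab
check_tmp_mount() {
  line=$(printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/tmp"')
  [ -n "$line" ] || { echo "FAIL /tmp: not a separate mount"; return 1; }
  opts=$(printf '%s\n' "$line" | awk '{print $4}')
  missing=""
  for o in nodev nosuid noexec; do
    case ",$opts," in *",$o,"*) ;; *) missing="$missing $o" ;; esac
  done
  [ -z "$missing" ] || { echo "FAIL /tmp: missing mount options:$missing"; return 1; }
  echo "PASS /tmp: separate mount with $opts"; return 0
}

# Default umask at least as restrictive as 027. $1 = contents of /etc/login.defs
check_umask() {
  u=$(printf '%s\n' "$1" | awk '$1 == "UMASK" {v=$2} END {print v}')
  [ -n "$u" ] || { echo "FAIL umask: UMASK not set"; return 1; }
  # every permission bit that 027 clears must also be cleared by the configured mask
  if [ $(( 0$u & 027 )) -eq $(( 027 )) ]; then
    echo "PASS umask: $u"; return 0
  fi
  echo "FAIL umask: $u is weaker than 027"; return 1
}

# Process debugging restriction. $1 = value of kernel.yama.ptrace_scope
check_ptrace_scope() {
  case "$1" in
    1|2|3) echo "PASS ptrace: kernel.yama.ptrace_scope=$1"; return 0 ;;
    *)     echo "FAIL ptrace: kernel.yama.ptrace_scope=${1:-unset} allows unrestricted attach"; return 1 ;;
  esac
}

# Constructed sample inputs standing in for captured system state.
FSTAB_WEAK='/dev/mapper/rhel-tmp /tmp xfs defaults 0 0'
FSTAB_OK='/dev/mapper/rhel-root / xfs defaults 0 0
/dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0'
LOGIN_DEFS='UMASK 022'

check_firewall_zone trusted || :
check_tmp_mount "$FSTAB_WEAK" || :
check_tmp_mount "$FSTAB_OK"
check_umask "$LOGIN_DEFS" || :
check_ptrace_scope 0 || :
```

Each function prints a single PASS/FAIL line and returns the matching exit status, so the same checks can be run from a loop over captured output from many hosts.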

Why mitigation commonly fails

Because each rule comes with a mitigation, a common question raised by the report is why mitigations so often fail. The answer is not a simple one. The reasons can include a wide range of factors, including misconfiguration, lack of training and differing environments.

“Security, in general, is a complex area, and with the threat landscape constantly changing and evolving, it’s hard to maintain the status quo,” Goyal says. “As new technologies and new requirements come into play and the footprint increases, it ultimately leads to a lot of complexity.”

Goyal predicts that the policies are going to increase in number and only become more complex. Organizations need solutions that help them keep track of these complexities while reducing the burden of operational overhead. By highlighting the gaps, leaders can understand where the risk lies and create a plan to close those gaps.

Reducing rule failures

Confirming that all rules are followed and the mitigation is used correctly when a rule fails is time-consuming, explains Goyal. At large enterprises, cybersecurity professionals bear a lot of burden with complex processes. Team members must constantly optimize and check for security while also completing other tasks. Organizations are increasingly turning to Ansible automation, such as with Red Hat Insights, for more effective and efficient remediation.

With Red Hat Insights, an organization can deploy its compliance policies (for example, a PCI or HIPAA data governance policy) on RHEL systems. After analyzing these systems, Insights displays each system's level of compliance or non-compliance with the organization's policies and recommends actions to address the non-compliance. Organizations can choose to deploy the Ansible playbook on the systems with just a few clicks to become compliant again. Because the process is automated, it's more effective and efficient than manually identifying and remediating each system separately.

“Large enterprises need this ability to help keep their costs in control and prevent security gaps from being exploited by bad actors,” says Goyal.

Cloud security: A shared responsibility

Because multiple organizations are involved in a cloud environment, a key question is often about who bears the responsibility for security — the organization or the vendor. Goyal says that security is a dual responsibility.

“As a vendor to our customer, there is a responsibility to make sure they have a product that is built with its security posture front-and-center and has feature-rich functionality that allows organizations to effectively manage their organizational IT security strategy. However, they have to also configure and deploy the product correctly,” says Goyal. “Additionally, organizations need to make sure that their cloud provider emphasizes operational security. At the same time, organizations also need to take ownership for the security of the configurable components of their environment.”

The post 2024 Cloud Threat Landscape Report: How does cloud security fail? appeared first on Security Intelligence.

Cloud threat report: Why have SaaS platforms on dark web marketplaces decreased?

IBM’s X-Force team recently released the latest edition of the Cloud Threat Landscape Report for 2024, providing a comprehensive outlook on the rise of cloud infrastructure adoption and its associated risks.

One of the key takeaways of this year’s report was focused on the gradual decrease in Software-as-a-Service (SaaS) platforms being mentioned across dark web marketplaces. While this trend potentially points to more cloud platforms increasing their defensive posture and limiting the number of exploits or compromised credentials that are surfacing, there are a few other factors to consider.

Sudden decrease in SaaS mentions across the dark web

In a recent collaboration with Cybersixgill, a leading dark web intelligence firm, IBM’s X-Force provided updated statistics in its recent Cloud Threat Landscape Report surrounding the number of SaaS solutions mentioned across the dark web.

Surprisingly, even though compromised cloud solutions remain highly relevant and valuable when packaging sellable assets for dark web marketplaces, the number of SaaS platforms being mentioned dropped by an average of 20.4% year-over-year.

Among some of the highest reductions was WordPress-Admin, declining nearly 98% between 2023 and 2024, followed by Microsoft Active Directory and ServiceNow, which saw a 44% and 38% decline, respectively.

While the majority of SaaS platforms mentioned decreased year-over-year, Microsoft TeamViewer was an outlier. Even though the platform only represented 1.8% of all of the mentioned SaaS solutions, it still saw an increase of 9% between 2023 and 2024.


What are the potential contributors to fewer SaaS mentions?

The decreased activity in SaaS mentions initially points to a potentially emerging trend in the sophistication of modern-day cybersecurity solutions. However, as with all first-year statistical report shifts, it’s important to consider all calculation variables and contributing factors.

To help shed some more light on these figures, Colin Connor, a member of IBM’s X-Force team, was interviewed to provide additional perspective. When asked to comment on the potential driver of this dark web trend shift, Connor states, “These statistics appear to be an overall trend that was also referenced in the decrease in total compromised credentials sold during the same reporting period. This also coincides with the takedown of Raccoon Stealer, which caused a prolonged decrease in credential sales from July 2023 onward.”

Raccoon Stealer was one of the most widely used infostealer malware families, dominating the majority of the dark web market share for credential stealers starting in 2022, but it was taken down by the FBI in August of 2023.

Commenting on the overall impact Raccoon Stealer had on the year-over-year statistics of this report, Connor says, “During its peak in March 2023, [it] was nearly 87% of the source of stolen logs and accounted for almost 50% of the stolen credentials in our 2023 collection. It’s also important to remember that the majority of dark web credentials sold are stolen from infostealer malware. So, this takedown of Raccoon had a dramatic effect. The marketplace continues to recover — from 192,000 credential sets overall for sale in July 2023 to 721,000 in July 2024. It also has yet to recover from the peak in March 2023 — which equated to 1.2 million credential sets for sale.”

Will there be a resurgence of compromised SaaS platforms in the near future?

According to IBM’s X-Force team, while the year-over-year decline of SaaS mentions on the dark web is positive — pointing to increased law enforcement actions against major dark web marketplaces and enhanced security measures being taken by large enterprises — it’s critical not to let this lower organizations’ guard.

When asked about what the most recent Raccoon Stealer takedown means for the shifting dark web market dynamics, Connor states, “Raccoon’s ability to recover in 2024 was limited, but what we’re seeing is that the relatively smaller players are starting to grow… We saw that Luma, RisePro and Stealc have now become major players… Luma especially took a huge step up, showing a 241% [increase] in popularity in Q3.”

It’s still too early to know if these previously smaller players will have the stamina to create disruptions similar to Raccoon Stealer across the dark web in the next couple of years. There is also the possibility that Raccoon Stealer will see some form of recovery in the future.

The important thing is that organizations don’t become complacent in their proactive security planning. IBM’s X-Force team recommends that all organizations continue to conduct comprehensive security testing across their on-premises and cloud infrastructure while regularly strengthening their incident response capabilities. This helps to ensure that even when trends begin to shift, organizations can mitigate their risk of having systems or networks compromised.

The post Cloud threat report: Why have SaaS platforms on dark web marketplaces decreased? appeared first on Security Intelligence.

FYSA – Adobe ColdFusion Path Traversal Vulnerability

Summary

Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure.

Threat Topography

  • Threat Type: Arbitrary File System Read
  • Industries Impacted: Technology, Software, and Web Development
  • Geolocation: Global
  • Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable

Overview

X-Force Incident Command is monitoring the disclosure of an arbitrary file system read vulnerability in ColdFusion, a web application server, that can be exploited by an attacker to read arbitrary files on the system. The vulnerability, identified as CVE-2024-53961, affects ColdFusion 2021 and 2023. Adobe has provided a patch to address the issue. Adobe has also disclosed that proof-of-concept exploit code has been published for this vulnerability, making it crucial for organizations to prioritize patching to mitigate the risk of unauthorized access and data exposure. Exploitation has not yet been detected in the wild.

X-Force Incident Command recommends that organizations using ColdFusion review the Adobe bulletin and prioritize patching if running vulnerable versions of the software. Additionally, they should consider implementing access controls and authentication mechanisms to limit unauthorized access to sensitive data.

X-Force Incident Command will continue to monitor this situation and provide updates as available.

Key Findings

  • The vulnerability, CVE-2024-53961, affects ColdFusion 2021 and 2023.
  • The vulnerability can be exploited to read arbitrary files on the system.
  • Adobe has provided a patch to address the issue.
  • The vulnerability can potentially lead to unauthorized access and data exposure.

Mitigations/Recommendations

  • Apply the patch provided by Adobe as soon as possible.
  • Implement access controls and authentication mechanisms to limit unauthorized access to sensitive data.
  • Monitor systems for any signs of exploitation.
  • Prioritize patching and vulnerability remediation to mitigate the risk of exploitation.
  • Consider implementing file system monitoring and logging to detect and prevent unauthorized file access.

The post FYSA – Adobe ColdFusion Path Traversal Vulnerability appeared first on Security Intelligence.